Move Descope users, tenants, roles, authentication methods, and application sessions to Authdog while preserving stable source IDs. This guide covers export, mapping, credentials, staged cutover, rollback, and validation.
Prerequisites
- An Authdog tenant, project, and environment for staging rehearsal.
- Descope Management API access to export users, tenants, roles, permissions, access keys, and configured authentication flows.
- An inventory of every Descope SDK, flow ID, project ID, token validator, webhook, and SSO/SCIM integration.
- Defined cutover cohorts and rollback criteria.
Migration shape
- Inventory and export — capture users, tenants, access rules, flows, and connections.
- Map and import — preserve Descope IDs and recreate Authdog configuration.
- Parallel run — test controlled cohorts while Descope remains available.
- Cut over and retire — move remaining traffic, soak, then revoke old access.
1. Inventory Descope
| Descope resource | What to capture | Authdog target |
|---|---|---|
| Users | userId, login IDs, verified email/phone, status, custom attributes |
Users |
| Tenants | Tenant ID, name, domains, custom attributes | Organizations |
| Roles and permissions | Names, permission sets, tenant scope, assignments | Roles & permissions |
| Flows/auth methods | Password, OTP, magic link, OAuth, passkey, MFA steps | Authentication or custom flows |
| SSO and SCIM | Connection metadata, domains, group mappings | Integrations and provisioning |
| JWT/session settings | Custom claims, token lifetime, refresh behavior | Sessions & tokens |
Also inventory service access keys, invitations, trusted devices, risk rules, webhook consumers, redirect URLs, and any app logic that branches on Descope claims.
2. Export users and tenants
Use supported Descope Management API list/export endpoints with pagination. Retain:
- Descope
userIdas stable source identifier - Login IDs, primary email/phone, and verification state
- Name, picture, status, and custom attributes
- Tenant IDs and user-to-tenant memberships
- Tenant-scoped and global roles
- OAuth/SSO identity references available through supported APIs
- Created, updated, and last-login timestamps
Store Descope userId as the Authdog external identifier. Keep a separate descope_tenant_id → Authdog organization ID table. Login IDs, emails, and tenant names are mutable and must not replace stable IDs.
Password and authenticator strategy
Do not assume password hashes or authenticator secrets are exportable:
- Compatible hash import — only when Descope provides full hash material and Authdog confirms support for its algorithm, parameters, and encoding.
- Progressive migration — validate a password against Descope once through a server-side bridge, then establish an Authdog credential.
- Passwordless/SSO transition — use magic link, OAuth, or enterprise SSO for users without portable passwords.
- Re-enrollment — require new enrollment for passkeys, TOTP, trusted devices, or recovery codes unless explicit portability is confirmed.
Never log raw credentials or copy MFA seeds into general user metadata.
3. Map tenants, roles, and flows
Model Descope tenants as Authdog organizations when they represent customer workspaces. Create organizations first, then memberships and tenant-scoped roles. Map global Descope roles separately from organization roles, and test users belonging to multiple tenants.
Recreate social, SAML/OIDC, and SCIM connections with Authdog URLs and credentials. Translate group-to-role rules and deprovisioning behavior. See Provisioning.
Descope flows may contain branching, risk checks, forms, connectors, and custom claims. Map each step to Authdog authentication, components, or explicit backend logic; do not treat visual flow definitions as portable configuration.
4. Import and update applications
Import through console tooling or the REST Directory API:
- Upsert user profile and verified identifiers.
- Set Descope
userIdas external identifier. - Attach required custom attributes and suspend disabled users.
- Add organization memberships and mapped roles.
- Record credential/re-enrollment state.
Replace Descope SDK and flow entry points with Authdog (quickstarts). Configure the environment public key (pk_...), update redirects, and validate Authdog sessions on every backend. Rewrite code that expects Descope tenant, role, permission, or custom JWT claims. Replace webhooks and machine credentials explicitly.
5. Stage cutover and rollback
- Rehearse users, multi-tenant membership, each auth method, and authorization in staging.
- Export a baseline and reconcile deltas until production writes move.
- Move internal users, then one tenant or application cohort.
- Temporarily accept both issuers only in a measured compatibility layer.
- Monitor failures, duplicate identity links, MFA re-enrollment, role drift, and SCIM status.
- After soak, disable Descope flows/callbacks, revoke management and access keys, and remove old validation.
Rollback: route affected cohorts to Descope and restore its flow entry points. Keep Descope IDs and tenant mappings intact; choose one authoritative writer for users and memberships during parallel run.
Validation checklist
- User, tenant, membership, and role counts reconcile.
- Every Descope
userIdand tenant mapping is retained. - Password strategy tested without assuming hash portability.
- Passkey/MFA re-enrollment behavior is communicated and verified.
- Multi-tenant users receive correct organization-scoped access.
- OAuth, SSO, SCIM, callbacks, and logout pass end-to-end.
- APIs validate Authdog sessions and required authorization data.
- Delta reconciliation and rollback routing are tested.
- Descope keys and dual-issuer support are removed after soak.